NHS IT Leaders losing sleep over GDPR and cybersecurity fears

Makes you WannaCry

Cyber-attacks like the WannaCry incident which crippled many National Health Service (NHS) trusts in May this year brought into sharp focus the aging IT infrastructure and unpatched systems leading to the disruption of critical patient services.

Cybersecurity concerns were further highlighted in the Digital Health Intelligence annual survey 2017, with these priorities having grown 66% between June 2016 and July 2017. A freedom of information request also revealed 28 out of 60 NHS trusts in England succumbed to ransomware attacks during 2016.

EU GDPR burdens

Compounding this is the looming EU General Data Protection Regulation, which comes into force on the 25th May 2018, which seeks to strengthen and harmonize data protection laws across the European Union. All UK organizations, including NHS trusts and other healthcare institutions, will need to comply with GDPR, even after Brexit, with breaches resulting in penalties of up to €20 Million.

Unfortunately, NHS trusts are easy targets for cyberattacks arising from accidental internal data leaks, determined external attacks, and vulnerable legacy IT systems. Compromised patient data is increasingly valuable, as it does not change and can be sold or used for various types of fraudulent activities by cybercriminals.

Breaches of any kind erode public confidence in the NHS’s ability to safeguard of Patient-Identifiable Information (PII), and in a GDPR world can expose the organization to punitive fines – cash they can ill-afford and would be better used proactively to prepare for, monitor and respond to cyber-attacks and regulatory compliance mandates.

Login details for all to see

NHS trusts generally have a good history of maintaining patient confidentiality. However, staff shortages, reliance on agency workers and dependence on visiting consultants who need to access patient information quickly, with email logins taped on computer screens.

While not intentional, this violation of internal NHS security policies increases the risk of patient identifiable information being maliciously leaked via email or accidentally sent to the wrong person outside of the NHS.

Consent and sharing PII

Sharing confidential PII securely across NHS trusts and social care organizations is vital for quality of care inspection, local planning, research and evaluating public healthcare goals.

Strict GDPR consent rules now mean that informed and explicit consent is required for use of data rather than implied consent. NHS trusts need to ensure that patients are aware of exactly what PII they have, the source of the data, how it is stored, access rights and how the PII will be used.

NHS cyber resilience strategy

Cyber resilience is a paradigm shift in cybersecurity — an acknowledgment that attacks email systems are likely to continue and despite best efforts, they will sometimes be successful. By placing email at the heart of a data governance and cyber resilience strategy, NHS trusts can mitigate risks of this dominant threat vector.

An effective strategy focuses not just on protecting against attacks entering. It must also ensure effective communication that can be maintained during and after a breach, and critical data can be rapidly recovered to get things back up and running as quickly as possible after the threat is neutralized.

This will help safeguard against growing cybersecurity threats to patient data and normal operation and patient care, not to mention demonstrate accountability in response to strict GDPR regulatory demands.

The UK Healthcare Show 2017 is right around the corner and the Mimecast team is excited to be attending this year.

Visit us at stand number: S128 at the London Olympia on the 27th September to find out how Mimecast helps the NHS and other healthcare organizations address cybersecurity concerns and simplify GDPR compliance for email.

Want more great articles like this?Subscribe to our blog.

Get all the latest news, tips and articles delivered right to your inbox